Linux Kernel Flaw Puts Millions of Devices at Risk

A local privilege escalation vulnerability introduced in the Linux kernel in 2012 exposes tens of millions of Linux PCs and servers, and roughly two-thirds of phones and tablets running Android to malicious attacks.

The vulnerability, identified as CVE-2016-0728, was discovered recently by researchers at Israel-based security startup Perception Point. The flaw affects version 3.8 and later of the Linux kernel, and allows an attacker to achieve kernel code execution and gain root privileges on the targeted system.

Perception Point and the Linux kernel security team said they haven’t seen exploits designed to target this vulnerability in the wild.

The security bug is related to the keyring, a facility that allows drivers to retain and cache security data, encryption and authentication keys, and other data in the kernel. These objects can be managed by userspace programs via available system call interfaces.

“Function join_session_keyring in security/keys/process_keys.c holds a reference to the requested keyring, but if that keyring is the same as the one being currently used by the process, the kernel wouldn't decrease keyring->usage before returning to userspace. The usage field can be possibly overflowed causing use-after-free on the keyring object,” Red Hat wrote in its bug report.

The developers of popular Linux distributions are working on addressing the vulnerability and users are advised to install the patches as soon as they become available. In the meantime, Perception Point noted that security features such as Supervisor Mode Execution Protection (SMEP) and Supervisor Mode Access Prevention (SMAP), and the SELinux security module in the case of Android make exploitation of the vulnerability more difficult.

Even after the patches are released, it will likely take some time until they are installed on all Linux machines.

In the case of Android, many devices will probably never receive the fix. Some device manufacturers, such as Google and Samsung, have started pushing out regular security updates, which are easier to install in more recent versions of Android. However, patches for devices running older versions of Android are few and far between, and installing them is not always easy for regular users.

Eduard Kovacs is an international correspondent for SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.